DETAILED ACTION 

This final office action is prepared in response to the applicant's amendments and 
arguments filed on December 21, 2009 as a reply to the non-final office action mailed on 
September 29, 2009. 

Claims 1-6, 8-9, 11 and 23-31 were pending in the previous office action; 

Claim 24 has been cancelled since; 

Claims 1, 3, 9, 23, 25 and 27-31 are amended; 

Claims 1-6, 8-9, 11, 23 and 25-31 are now pending; 

Response to Arguments 

Applicant's arguments and amendments filed on December 21, 2009 have been carefully 
considered but deemed unpersuasive in view of the following new grounds of rejection as 
explained herein below, necessitated by Applicant's substantial amendments to the claims which 
significantly affected the scope thereof, and will require further search and consideration. 

In an attempt to overcome the rejection, Applicant has amended claim 27 to recite "An 
article of manufacture comprising a tangible, machine accessible storage medium." 

However, the amendments are not sufficient to overcome the rejection because they fail 
to cite "a machine-readable non-transitory storage medium." 



1. Claims 27-31 were previously rejected under 35 U.S.C. 101. 

2. The rejection of claims 3 and 25 under 35 U.S.C. 112, 2nd paragraph, is withdrawn in view 
of the claim amendments. 

3. Applicant has amended claims 1, 4-6, 9-11, 23, 27-31 to clarify that the steps in the 
claimed method are performed by an intermediate gateway. 

After a careful review of the amended claims and an updated prior art search, Examiner 
introduces a new ground of rejection under 35 U.S.C. 103(a) based on a newly found reference 
Maher et al. (US 7,406,709). 

Accordingly, THIS ACTION IS MADE FINAL. See MPEP 706.07(a). Applicant is 
reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 

Claim Rejections - 35 USC § 101 

35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or 
any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and 
requirements of this title. 

4. Claims 27-31 are rejected under 35 U.S.C. 101 because the claimed invention is directed 
to non- statutory subject matter. 

Claim 27 recites "an article of manufacture comprising a tangible machine accessible 
storage medium." 

However, according to one of ordinary skill in the art, "a tangible, machine accessible 
storage medium" may include transitory media such as a signal or a carrier wave, leading the 
claimed invention to include unpatentable subject matter. 
Therefore, Applicant is advised to amend the claim to recite "a machine-readable 
non-transitory storage medium." 

Claims 28-31 depend on claim 27 but fail to further limit claim 27 to statutory 
subject matter, and therefore inherit the 35 U.S.C. 101 issue of the independent claim. 



Claim Rejections - 35 USC §103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

5. Claims 1-2, 5-6, 9, 11, 23, 27-31 are rejected under 35 U.S.C. 103(a) as obvious over 
Maher et al. (US 7,406,709, hereinafter "Maher"), in view of Crosbie (US 2002/0035699). 

Regarding claim 1, Maher disclosed a method for an intermediary gateway to selectively 
couple an external network and an internal network to dynamically generate filter rules to 
facilitate establishing an end to end secure session connection between a first device on the 
internal network and a second device of the external network (Maher, "Abstract" and Figs. 1a, 
1b, 7 and col. 5, lines 10-67 disclosed an nCite/NTS, an NAPT Firewall and an NTA (i.e. network 
transversal agent), which together form an entity that anticipates the intermediary gateway in the 
current claim), the method comprising: 
receiving by the intermediary gateway, a secure session establishment request by the 
second device on the external network to establish a secure communication session with the first 
device on the internal network (Maher, Fig. 7 and col. 16, lines 9-53 disclosed a signaling 
diagram showing an inbound VoIP call from a device in the public network, where an example 
of the device can be found in Fig. 1 and said device anticipates the "second device" in the claim; 
the "INVITE" message that is received by the nCite and then the NTA anticipates "a secure 
session establishment request" in the claim); 

forwarding by the intermediary gateway, the secure session establishment request to the 
first device (Maher, Fig. 7 showed that NTA forwards the INVITE message to an IP phone (with 
the address 10.10.108.10) in the private network; here the IP phone in the private network 
anticipates "the first device" in the claim); 

monitoring by the intermediary gateway, the internal network to detect an approval or 
disapproval acknowledgement by the first device for the secure session establishment request 
(Maher, Fig. 7 disclosed that NTA and nCite/NTS receive the 200 OK from the private IP 
phone, where the 200 OK anticipates "an approval acknowledgement" in the claim); and 

configuring by the intermediary gateway, a first filter rule of the intermediary to allow 
communication between the first and second devices through the intermediary, if an approval 
authentication acknowledgement is detected by the intermediary gateway (Maher, Fig. 7 and col. 
15, lines 23-38 disclosed that after receiving the 200 OK, the nCite/NTS sends an Anchor 
message to the NTA, and the NTA then sends a Test packet to the firewall to create an entry in 
the address/port translation table so that the firewall will allow the media data to flow through); 

Maher did not explicitly disclose 

determining by the intermediary gateway, whether network traffic from the second device 
is corresponding to a previous secure communication session established when the second device 
was previously on the internal network, wherein the second device uses an address that is 
globally routable on the internal and the external networks and therefore said network traffic is 
valid with respect to the internal network; and 

responding by the intermediary gateway, to said network traffic with an error and forcing 
the second device to re-establish a secure communication session from the external network. 

However, Crosbie disclosed that in a system where mobile devices connect to a 
network protected by a Gateway Server and Firewall (Crosbie, Fig. 1), the mobile device is 
typically required to re-establish a stateful end-to-end connection such as IPSec (Crosbie, 
[0008]), which is essentially what the above cited claim elements try to do. 

One of ordinary skill in the art would have been motivated to combine Maher and 
Crosbie because both disclosed establishing a secure end-to-end connection between a client 
device in a first network and a device in a second network (Maher, Figs. 1a-1b; Crosbie, Fig. 1). 

Therefore, it would have been obvious for one skilled in the art to combine Maher and 
Crosbie's teaching to realize that if the client device in Maher were a roaming mobile that moved 
outside its previous network, the secure end-to-end would have to be re-established. 
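The gateway behaviour mapped onto claim 1 above (forward the INVITE, open a filter rule only after the internal device's 200 OK, and refuse traffic bound to a session that was set up while the sender was still inside), modelled as a small Python state machine. This is an added illustration, not code from the office action or from Maher or Crosbie; the message dictionaries, call and session identifiers, and the external addresses are constructed sample values, and the private address 10.10.108.10 is the one quoted from Maher above.

```python
class Gateway:
    """Toy intermediary gateway: default deny, open a filter rule only on an internal 200 OK."""

    def __init__(self, internal_hosts):
        self.internal_hosts = set(internal_hosts)
        self.rules = set()      # (external_addr, internal_addr, port) tuples the firewall lets through
        self.pending = {}       # call_id -> (external_addr, internal_addr, port) awaiting an answer
        self.sessions = {}      # session_id -> "internal" or "external": where it was established
        self.forwarded = []     # messages actually relayed to the internal network

    def _allowed(self, src, dst, port):
        return (src, dst, port) in self.rules

    def on_external(self, msg):
        """Handle one message arriving from the external network; return the gateway's reply."""
        if msg["type"] == "INVITE":
            # Secure session establishment request: remember and forward it, open nothing yet.
            self.pending[msg["call_id"]] = (msg["src"], msg["dst"], msg["port"])
            self.forwarded.append(msg)
            return {"type": "TRYING", "call_id": msg["call_id"]}
        if msg["type"] == "DATA":
            sess = msg.get("session_id")
            # A session set up while the sender was still on the internal network is not
            # honoured from outside: answer with an error and force re-establishment.
            if self.sessions.get(sess) == "internal":
                del self.sessions[sess]
                return {"type": "ERROR", "reason": "re-establish session from external network"}
            if self._allowed(msg["src"], msg["dst"], msg["port"]):
                self.forwarded.append(msg)
                return {"type": "FORWARDED"}
        return {"type": "DROPPED"}

    def on_internal(self, msg):
        """Handle the internal device's approval or disapproval of a pending request."""
        entry = self.pending.pop(msg["call_id"], None)
        if entry is None:
            return {"type": "DROPPED"}
        ext, internal, port = entry
        if msg["type"] == "200 OK" and internal in self.internal_hosts:
            # Approval detected: configure the first filter rule and record the session.
            self.rules.add((ext, internal, port))
            self.sessions[msg["session_id"]] = "external"
            return {"type": "200 OK", "session_id": msg["session_id"], "media": (internal, port)}
        return {"type": "REJECTED", "call_id": msg["call_id"]}

    def record_internal_session(self, session_id):
        # A session the device established while it was still on the internal network.
        self.sessions[session_id] = "internal"


def demo():
    """Walk the four situations the claim describes; returns the reply types in order."""
    gw = Gateway(internal_hosts={"10.10.108.10"})
    ext, internal, port = "203.0.113.7", "10.10.108.10", 5004   # constructed sample values
    # 1. Unsolicited media from outside hits the default deny.
    dropped = gw.on_external({"type": "DATA", "src": ext, "dst": internal, "port": port})
    # 2. INVITE is forwarded to the internal phone; still nothing is open.
    gw.on_external({"type": "INVITE", "call_id": "c1", "src": ext, "dst": internal, "port": port})
    # 3. The phone answers 200 OK, so the gateway now configures the filter rule.
    ok = gw.on_internal({"type": "200 OK", "call_id": "c1", "session_id": "s1"})
    allowed = gw.on_external({"type": "DATA", "src": ext, "dst": internal, "port": port, "session_id": "s1"})
    # 4. A device that roamed outside reuses a session it set up while internal.
    gw.record_internal_session("old")
    err = gw.on_external({"type": "DATA", "src": "203.0.113.9", "dst": internal, "port": port, "session_id": "old"})
    return dropped["type"], ok["type"], allowed["type"], err["type"]
```

Calling `demo()` returns `("DROPPED", "200 OK", "FORWARDED", "ERROR")`, one reply per step of the claimed method.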
Claim 27 lists substantially the same elements of claim 1, but in product form rather than 
method form. Therefore, the supporting rationale of the rejection to claim 1 applies equally as 
well to claim 27. 

Regarding claims 2 and 28, the combination of Maher and Crosbie disclosed the method 
of claims 1 and 27. 

Maher further disclosed determining by the intermediary gateway, a presence 
advertisement for the first device has been received before forwarding the secure session 
establishment request to the first device (Maher, col. 16, lines 38-52 disclosed that the IP phone 
in the private network must first register with the nCite/NTS; then when the nCite/NTS receives 
the INVITE message, it can lookup the private address of the IP phone based on the registration 
information; the register message shown in Maher, Fig. 7 anticipates "a presence advertisement" 
in the claim; and the lookup step performed by the nCite/NTS is essentially the same as 
"determining a presence advertisement for the first device has been received"). 

Regarding claims 5 and 29, the combination of Maher and Crosbie disclosed the subject 
matter of claims 1 and 27, respectively. 

Maher further disclosed 

receiving by the intermediary gateway, a service request from the second device for the 
first device, the service request having an associated communication port for performing the 
service (Maher, col. 15, lines 6-9 disclosed that the INVITE contains a Session Description 
Protocol (SDP) parameter that specifies the address and port the IP phone will use to receive 
media traffic); 

determining by the intermediary gateway, the service request identifies a service 
advertised by the first device in a device description document (Maher, col. 16, lines 46-53, 
where it is implicit the register message advertises the voice service); and 

configuring by the intermediary gateway, a second filter rule to allow communication 
between the first device and the second device using the associated communication port (Maher, 
Fig. 7 and col. 15, lines 23-38). 

Regarding claims 6 and 30, the combination of Maher and Crosbie disclosed the subject 
matter of claims 1 and 27, respectively. 

Maher further disclosed providing by the intermediary gateway, the second device with an indicia for use by the 
second device in establishing a communication link to the first device (Maher, Fig. 7 shows that 
a 200 OK was sent by the nCite/NTS to a device in the public network, where the 200 OK carries 
the IP address and port number the inbound media data can be sent from the public network to 
the private network; here nCite/NTS is a part of the intermediary gateway). 

Regarding claims 9 and 31, the combination of Maher and Crosbie disclosed the method 
of claims 1 and 27. 

Maher further disclosed 

retrieving an Access Control List (ACL) from the first device, the ACL including an 
identification of devices authorized to establish communication sessions; and determining by the 
intermediary gateway, based at least in part on the ACL the second device is authorized to 
establish the secure communication session with the first device before forwarding the secure 
session establishment request to the first device (Maher, col. 3, line 32 disclosed static filtering 
rules called Access Control Lists (ACL)). 

Regarding claim 11, the combination of Maher and Crosbie disclosed the method of 
claims 1 and 27. 

Maher further disclosed establishing by the intermediary gateway, the end to end secure 
session connection between the first device on the internal network and the second device of the 
external network in a single end to end secure session connection between said first and second 
devices (Maher, Figs. 6 and 7). 

Claim 23 lists substantially the same elements of claim 1, but in system form rather than 
method form. Therefore, the supporting rationale of the rejection to claim 1 applies equally as 
well to claim 23. 



6. Claim 3 is rejected under 35 U.S.C. 103(a) as obvious over Maher and Crosbie, further in 
view of Moyer et al. (U.S. 2002/0103898, hereinafter "Moyer"). 

Regarding claim 3, the combination of Maher and Crosbie disclosed the method of 
claim 2. 

Maher did not explicitly disclose wherein the presence advertisement is delivered in 
accordance with the UPnP Simple Service Discovery Protocol (SSDP). 
However, Moyer disclosed a device messaging protocol (DMP) and explicitly states that 
it is similar to the Universal Plug and Play (UPnP) Device Control Protocol and the DMP protocol 
includes a Register message to announce to the network a device's presence (Moyer, [0042]). 

Moyer's disclosure makes it clear that at the time the invention was made, it was well 
known by one skilled in the art that UPnP, just like the SIP based DMP, can be used to facilitate 
communication between devices in a public network and those in a private network, motivating 
one to migrate the knowledge well known in systems using SIP into the systems using UPnP. 

As the UPnP Simple Service Discovery Protocol (SSDP) is the protocol in the UPnP framework 
for discovering devices, which serves the same purpose as SIP REGISTER, it would have been 
obvious for one to substitute UPnP for SIP in Maher to achieve the same result. Such 
modification, along with the combination of Maher and Crosbie, would have resulted in a remote 
home appliance control system using UPnP with end-to-end security. 



7. Claim 4 is rejected under 35 U.S.C. 103(a) as obvious over Maher and Crosbie, further in 
view of Cho (U.S. 2003/0217136). 

Regarding claim 4, the combination of Maher and Crosbie disclosed the method of 
claim 1 . 

Maher did not explicitly disclose receiving network traffic from the second device 
corresponding to the second device requesting a UPnP Device Description Document from the 
first device. 
However, in a system for controlling appliances in an internal network from an external 
network, Cho disclosed using UPnP and receiving network traffic from the second device 
corresponding to the second device requesting a UPnP Device Description Document from the 
first device (Cho, Fig. 7 and [0071] disclose that upon receiving a service description request 
message from the stub 102 (step 717), the agent 131 sends the received message to the bridge 
132 (step 718), which then transfers it to the specific UPnP device (step 719)). 

One of ordinary skill in the art would have been motivated to combine Maher and Cho 
because both disclosed accessing devices in an internal network from a device in an external 
Internet via a proxy (Maher, Figs. 1a-1b; Cho, Fig. 1). 

Therefore, it would have been obvious for one to apply Maher's teaching of a general 
purpose method for creating end-to-end secure sessions using any protocols to Cho's system to 
achieve the desirable result of securing the communications between Cho's wired/wireless 
internet client and UPnP home devices such that the UPnP devices will not be tampered with by 
malicious clients from the internet. 



8. Claims 25-26 are rejected under 35 U.S.C. 103(a) as obvious over Maher and Crosbie, 
further in view of Cho (U.S. 2003/0217136) and the article "UPnP™ Security Ceremonies 
Design Document For UPnP Device Architecture 1.0" authored by Ellison and published by the 
UPnP Forum (hereinafter "Ellison"). 
Regarding claim 25, the combination of Maher and Crosbie disclosed the system of 
claim 23. 

Maher did not explicitly disclose wherein the first device communicates with the second 
device in accord with the UPnP Security Protocol. 

However, Cho disclosed that the first device communicates with the second device in accord 
with the UPnP Security Protocol (Cho, Fig. 1 and "Abstract" disclosed using the UPnP framework to 
control devices in an internal network from a device in an external network). 

Cho disclosed a UPnP-based system for controlling appliances in an internal 
network from an external network (Cho, Fig. 1 and "Abstract"), while Ellison disclosed a UPnP 
security protocol for a UPnP system. 

One of ordinary skill in the art would have been motivated to combine Maher and Cho 
because both disclosed accessing devices in an internal network from a device in an external 
Internet via a proxy (Maher, Figs. 1a-1b; Cho, Fig. 1). 

Therefore, it would have been obvious for one skilled in the art to combine Maher's 
teaching of a general purpose method for creating end-to-end secure sessions using any protocols 
with Cho's teaching of a UPnP framework for controlling UPnP compatible home appliances 
and realize that the UPnP security protocol disclosed by Ellison is an obvious choice for Cho's 
security needs. 

Regarding claim 26, the combination of Maher and Crosbie disclosed the system of 
claim 23. 
Maher did not explicitly disclose that the secure communication initiation request 
corresponds to a UPnP Set Session Key (SSK) request. 

However, Cho disclosed a UPnP-based system for controlling appliances in an internal 
network from an external network (Cho, Fig. 1 and "Abstract"), while Ellison disclosed a UPnP 
security protocol for a UPnP system, where a UPnP Set Session Key (SSK) request is used to 
initiate a secure communication (Ellison, page 13, section 5, "Session Keys"). 

Therefore, it would have been obvious for one skilled in the art to combine Maher's 
teaching of a general purpose method for creating end-to-end secure sessions using any protocols 
with Cho's teaching of a UPnP framework for controlling UPnP compatible home appliances 
and realize that the UPnP security protocol disclosed by Ellison is an obvious choice for Cho's 
security needs. 



9. Claim 8 is rejected under 35 U.S.C. 103(a) as being unpatentable over Maher and 
Crosbie as applied to claim 1 above, further in view of Le et al. (U.S. 2005/0111382, hereinafter 
"Le"). 

Regarding claim 8, the combination of Maher and Crosbie disclosed the method of 
claim 1 . 

Maher did not explicitly disclose, but Le disclosed, that communication within the internal 
network is in accord with an IPv6 compatible Internet Protocol (IP) (Le, [0014] discloses that the 
architecture as illustrated in FIG. 1 has been recently adopted in 3GPP for the internetworking of 
IPv6 and IPv4 domains; in 3GPP, it is inherent that the internal network uses IPv6). 



Application/Control Number: 10/815,396 Page 14 

Art Unit: 2444 

One of ordinary skill in the art would have been motivated to combine Maher and Le 
because both disclosed using a firewall to secure communications between devices in two 
networks (Maher, Figs. 1a-1b; Le, Fig. 2). 

Therefore, it would have been obvious for one of ordinary skill to integrate Le's 
teaching of supporting IPv6 into Maher such that Maher's system supports IPv6 as the network 
technology progresses and IPv6 becomes the new standard for mobile networks. The 
combination would have made Maher's invention more readily available for mobile networks 
that run on IPv4. 



Conclusion 

THIS ACTION IS FINAL. Applicant is reminded of the extension of time policy as set forth in 
37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 
1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, 
will the statutory period for reply expire later than SIX MONTHS from the mailing date of this 
final action. 
Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to SHIRLEY X. ZHANG whose telephone number is (571) 270-5012. 
The examiner can normally be reached on Monday through Friday 8:00am - 5:30pm EST. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, William Vaughn, can be reached on (571) 272-3922. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/S.X.Z./ Art Unit 2444 
2/3/2010 

/William C. Vaughn, Jr./ 

Supervisory Patent Examiner, Art Unit 2444 



